--- title: Gateway Changelog image: https://developers.cloudflare.com/cf-twitter-card.png --- [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) Gateway ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) Apr 01, 2026 1. ### [Logs UI refresh](https://developers.cloudflare.com/changelog/post/2026-04-01-logs-ui-refresh/) [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Access authentication logs and Gateway activity logs (DNS, Network, and HTTP) now feature a refreshed user interface that gives you more flexibility when viewing and analyzing your logs. ![Screenshot of the new logs UI showing DNS query logs with customizable columns and filtering options](https://developers.cloudflare.com/_astro/cf1-new-logs-ui.DxF4x0l-_mRSyH.webp) The updated UI includes: * **Filter by field** \- Select any field value to add it as a filter and narrow down your results. * **Customizable fields** \- Choose which fields to display in the log table. Querying for fewer fields improves log loading performance. * **View details** \- Select a timestamp to view the full details of a log entry. * **Switch to classic view** \- Return to the previous log viewer interface if needed. For more information, refer to [Access authentication logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/access-authentication-logs/) and [Gateway activity logs](https://developers.cloudflare.com/cloudflare-one/insights/logs/dashboard-logs/gateway-logs/). Mar 24, 2026 1. ### [OIDC Claims filtering now available in Gateway Firewall, Resolver, and Egress policies](https://developers.cloudflare.com/changelog/post/2026-03-24-oidc-claims-filtering-gateway-policies/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Cloudflare Gateway now supports [OIDC Claims](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/#oidc-claims) as a selector in Firewall, Resolver, and Egress policies. Administrators can use custom OIDC claims from their identity provider to build fine-grained, identity-based traffic policies across all Gateway policy types. With this update, you can: * Filter traffic in [DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/), [HTTP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/), and [Network](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) firewall policies based on OIDC claim values. * Apply custom [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) to route DNS queries to specific resolvers depending on a user's OIDC claims. * Control [egress policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/) to assign dedicated egress IPs based on OIDC claim attributes. For example, you can create a policy that routes traffic differently for users with `department=engineering` in their OIDC claims, or restrict access to certain destinations based on a user's role claim. To get started, configure [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) on your identity provider and use the **OIDC Claims** selector in the Gateway policy builder. For more information, refer to [Identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/). Mar 04, 2026 1. ### [Gateway Authorization Proxy and hosted PAC files (open beta)](https://developers.cloudflare.com/changelog/post/2026-03-04-gateway-authorization-proxy-open-beta/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [PAC file hosting](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now in open beta for all plan types. Previously, [proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint) relied on static source IP addresses to authorize traffic, providing no user-level identity in logs or policies. The new authorization proxy replaces IP-based authorization with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication, verifying who a user is before applying Gateway filtering without installing the WARP client. This is ideal for environments where you cannot deploy a device client, such as virtual desktops (VDI), mergers and acquisitions, or compliance-restricted endpoints. #### Key capabilities * **Identity-aware proxy traffic** — Users authenticate through your identity provider (Okta, Microsoft Entra ID, Google Workspace, and others) via Cloudflare Access. Logs now show exactly which user accessed which site, and you can write [identity-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/identity-selectors/) like "only the Finance team can access this accounting tool." * **Multiple identity providers** — Display one or multiple login methods simultaneously, giving flexibility for organizations managing users across different identity systems. * **Cloudflare-hosted PAC files** — Create and host [PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) directly in Cloudflare One with pre-configured templates for Okta and Azure, hosted at `https://pac.cloudflare-gateway.com//` on Cloudflare's global network. * **Simplified billing** — Each user occupies a seat, exactly like they do with the Cloudflare One Client. No new metrics to track. #### Get started 1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Networks** \> **Resolvers & Proxies** \> **Proxy endpoints**. 2. [Create an authorization proxy endpoint](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and configure Access policies. 3. [Create a hosted PAC file](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) or write your own. 4. [Configure browsers](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#3b-configure-browser-to-use-pac-file) to use the PAC file URL. 5. [Install the Cloudflare certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/) for HTTPS inspection. For more details, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/) and the [announcement blog post ↗](https://blog.cloudflare.com/gateway-authorization-proxy-identity-aware-policies/). Feb 27, 2026 1. ### [New protocols added for Gateway Protocol Detection (Beta)](https://developers.cloudflare.com/changelog/post/2026-02-27-new-protocol-detection-protocols/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Gateway [Protocol Detection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/) now supports seven additional protocols in beta: | Protocol | Notes | | ------------ | -------------------------------------------------- | | IMAP | Internet Message Access Protocol — email retrieval | | POP3 | Post Office Protocol v3 — email retrieval | | SMTP | Simple Mail Transfer Protocol — email sending | | MYSQL | MySQL database wire protocol | | RSYNC-DAEMON | rsync daemon protocol | | LDAP | Lightweight Directory Access Protocol | | NTP | Network Time Protocol | These protocols join the existing set of detected protocols (HTTP, HTTP2, SSH, TLS, DCERPC, MQTT, and TPKT) and can be used with the _Detected Protocol_ selector in [Network policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) to identify and filter traffic based on the application-layer protocol, without relying on port-based identification. If protocol detection is enabled on your account, these protocols will automatically be logged when detected in your Gateway network traffic. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). Dec 17, 2025 1. ### [Shadow IT - domain level SaaS analytics](https://developers.cloudflare.com/changelog/post/2025-12-17-shadow-it-domain-analytics/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) Zero Trust has again upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application. With this update, you can review data transfer metrics at the domain level, rather than just the application level, providing more granular insight into your data transfer patterns. ![New Domain Level Metrics](https://developers.cloudflare.com/_astro/shadow-it-domain.DoZnGAtf_Z1mHw4r.webp) These metrics can be filtered by all available filters on the dashboard, including user, application, or content category. Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. Nov 06, 2025 1. ### [Applications to be remapped to the new categories](https://developers.cloudflare.com/changelog/post/2025-11-06-applications-recategorised-plan/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) We have previously added new application categories to better reflect their content and improve HTTP traffic management: refer to [Changelog](https://developers.cloudflare.com/cloudflare-one/changelog/gateway/#2025-10-28). While the new categories are live now, we want to ensure you have ample time to review and adjust any existing rules you have configured against old categories. The remapping of existing applications into these new categories will be completed by January 30, 2026\. This timeline allows you a dedicated period to: * Review the new category structure. * Identify any policies you have that target the older categories. * Adjust your rules to reference the new, more precise categories before the old mappings change. Once the applications have been fully remapped by January 30, 2026, you might observe some changes in the traffic being mitigated or allowed by your existing policies. We encourage you to use the intervening time to prepare for a smooth transition. **Applications being remappedd** | Application Name | Existing Category | New Category | | ------------------------------- | ----------------- | ---------------------------- | | Google Photos | File Sharing | Photography & Graphic Design | | Flickr | File Sharing | Photography & Graphic Design | | ADP | Human Resources | Business | | Greenhouse | Human Resources | Business | | myCigna | Human Resources | Health & Fitness | | UnitedHealthcare | Human Resources | Health & Fitness | | ZipRecruiter | Human Resources | Business | | Amazon Business | Human Resources | Business | | Jobcenter | Human Resources | Business | | Jobsuche | Human Resources | Business | | Zenjob | Human Resources | Business | | DocuSign | Legal | Business | | Postident | Legal | Business | | Adobe Creative Cloud | Productivity | Photography & Graphic Design | | Airtable | Productivity | Development | | Autodesk Fusion360 | Productivity | IT Management | | Coursera | Productivity | Education | | Microsoft Power BI | Productivity | Business | | Tableau | Productivity | Business | | Duolingo | Productivity | Education | | Adobe Reader | Productivity | Business | | AnpiReport | Productivity | Travel | | ビズリーチ | Productivity | Business | | doda (デューダ) | Productivity | Business | | 求人ボックス | Productivity | Business | | マイナビ2026 | Productivity | Business | | Power Apps | Productivity | Business | | RECRUIT AGENT | Productivity | Business | | シフトボード | Productivity | Business | | スタンバイ | Productivity | Business | | Doctolib | Productivity | Health & Fitness | | Miro | Productivity | Photography & Graphic Design | | MyFitnessPal | Productivity | Health & Fitness | | Sentry Mobile | Productivity | Travel | | Slido | Productivity | Photography & Graphic Design | | Arista Networks | Productivity | IT Management | | Atlassian | Productivity | Business | | CoderPad | Productivity | Business | | eAgreements | Productivity | Business | | Vmware | Productivity | IT Management | | Vmware Vcenter | Productivity | IT Management | | AWS Skill Builder | Productivity | Education | | Microsoft Office 365 (GCC) | Productivity | Business | | Microsoft Exchange Online (GCC) | Productivity | Business | | Canva | Sales & Marketing | Photography & Graphic Design | | Instacart | Shopping | Food & Drink | | Wawa | Shopping | Food & Drink | | McDonald's | Shopping | Food & Drink | | Vrbo | Shopping | Travel | | American Airlines | Shopping | Travel | | Booking.com | Shopping | Travel | | Ticketmaster | Shopping | Entertainment & Events | | Airbnb | Shopping | Travel | | DoorDash | Shopping | Food & Drink | | Expedia | Shopping | Travel | | EasyPark | Shopping | Travel | | UEFA Tickets | Shopping | Entertainment & Events | | DHL Express | Shopping | Business | | UPS | Shopping | Business | For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). Oct 28, 2025 1. ### [New Application Categories added for HTTP Traffic Management](https://developers.cloudflare.com/changelog/post/gateway-application-categories-added/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product. We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications: * Business * Education * Entertainment & Events * Food & Drink * Health & Fitness * Lifestyle * Navigation * Photography & Graphic Design * Travel The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories. The full remapping will be completed by January 30, 2026. We encourage you to use this time to: * Review the new category structure. * Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition. For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). Oct 20, 2025 1. ### [Schedule DNS policies from the UI](https://developers.cloudflare.com/changelog/post/2025-10-20-schedule-dns-policies-from-the-ui/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Admins can now create [scheduled DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights. * **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more. * **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day. * **Timezone Control**: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user. * **Combined with Duration**: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence. You can see the flow in the demo GIF: ![Schedule DNS policies demo](https://developers.cloudflare.com/_astro/gateway-dns-scheduled-policies-ui.Cf4l1OTE_Z9szVM.webp) This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API. Oct 10, 2025 1. ### [New domain categories added](https://developers.cloudflare.com/changelog/post/2025-10-10-new-domain-categories/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering. **New categories added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | ----------- | ----------- | ------------------- | | 26 | Technology | 194 | Keep Awake Software | | 26 | Technology | 192 | Remote Access | | 26 | Technology | 193 | Shareware/Freeware | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. Sep 30, 2025 1. ### [Application granular controls for operations in SaaS applications](https://developers.cloudflare.com/changelog/post/2025-09-25-new-granular-controls-for-saas-applications/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Gateway users can now apply granular controls to their file sharing and AI chat applications through [HTTP policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies). The new feature offers two methods of controlling SaaS applications: * **Application Controls** are curated groupings of Operations which provide an easy way for users to achieve a specific outcome. Application Controls may include _Upload_, _Download_, _Prompt_, _Voice_, and _Share_ depending on the application. * **Operations** are controls aligned to the most granular action a user can take. This provides a fine-grained approach to enforcing policy and generally aligns to the SaaS providers API specifications in naming and function. Get started using [Application Granular Controls](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls) and refer to the list of [supported applications](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/granular-controls/#compatible-applications). Sep 25, 2025 1. ### [Refine DLP Scans with New Body Phase Selector](https://developers.cloudflare.com/changelog/post/2025-09-25-body-phase-selector/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) You can now more precisely control your HTTP DLP policies by specifying whether to scan the request or response body, helping to reduce false positives and target specific data flows. In the Gateway HTTP policy builder, you will find a new selector called _Body Phase_. This allows you to define the direction of traffic the DLP engine will inspect: * _Request Body_: Scans data sent from a user's machine to an upstream service. This is ideal for monitoring data uploads, form submissions, or other user-initiated data exfiltration attempts. * _Response Body_: Scans data sent to a user's machine from an upstream service. Use this to inspect file downloads and website content for sensitive data. For example, consider a policy that blocks Social Security Numbers (SSNs). Previously, this policy might trigger when a user visits a website that contains example SSNs in its content (the response body). Now, by setting the **Body Phase** to _Request Body_, the policy will only trigger if the user attempts to upload or submit an SSN, ignoring the content of the web page itself. All policies without this selector will continue to scan both request and response bodies to ensure continued protection. For more information, refer to [Gateway HTTP policy selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#body-phase). Sep 11, 2025 1. ### [DNS filtering for private network onramps](https://developers.cloudflare.com/changelog/post/2025-09-11-dns-filtering-for-private-network-onramps/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) [Magic WAN](https://developers.cloudflare.com/cloudflare-wan/zero-trust/cloudflare-gateway/#dns-filtering) and [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/#configure-dns-resolver-on-devices) users can now securely route their DNS traffic to the Gateway resolver without exposing traffic to the public Internet. Routing DNS traffic to the Gateway resolver allows DNS resolution and filtering for traffic coming from private networks while preserving source internal IP visibility. This ensures Magic WAN users have full integration with our Cloudflare One features, including [Internal DNS](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/#internal-dns) and [hostname-based policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#selector-prerequisites). To configure DNS filtering, change your Magic WAN or WARP Connector DNS settings to use Cloudflare's shared resolver IPs, `172.64.36.1` and `172.64.36.2`. Once you configure DNS resolution and filtering, you can use _Source Internal IP_ as a traffic selector in your [resolver policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/resolver-policies/) for routing private DNS traffic to your [Internal DNS](https://developers.cloudflare.com/dns/internal-dns/). Aug 27, 2025 1. ### [Shadow IT - SaaS analytics dashboard](https://developers.cloudflare.com/changelog/post/2025-08-27-shadow-it-analytics/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) Zero Trust has significantly upgraded its **Shadow IT analytics**, providing you with unprecedented visibility into your organizations use of SaaS tools. With this dashboard, you can review who is using an application and volumes of data transfer to the application. You can review these metrics against application type, such as Artificial Intelligence or Social Media. You can also mark applications with an approval status, including **Unreviewed**, **In Review**, **Approved**, and **Unapproved** designating how they can be used in your organization. ![Cloudflare One Analytics Dashboards](https://developers.cloudflare.com/_astro/shadow-it-analytics.BLNnG72w_Z1vDznE.webp) These application statuses can also be used in Gateway HTTP policies, so you can block, isolate, limit uploads and downloads, and more based on the application status. Both the analytics and policies are accessible in the Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/), empowering organizations with better visibility and control. Aug 21, 2025 1. ### [Gateway BYOIP Dedicated Egress IPs now available.](https://developers.cloudflare.com/changelog/post/2025-08-21-byoip-dedicated-egress-ip/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Enterprise Gateway users can now use Bring Your Own IP (BYOIP) for dedicated egress IPs. Admins can now onboard and use their own IPv4 or IPv6 prefixes to egress traffic from Cloudflare, delivering greater control, flexibility, and compliance for network traffic. Get started by following the [BYOIP onboarding process](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Once your IPs are onboarded, go to **Gateway** \> **Egress policies** and select or create an egress policy. In **Select an egress IP**, choose _Use dedicated egress IPs (Cloudflare or BYOIP)_, then select your BYOIP address from the dropdown menu. ![Screenshot of a dropdown menu adding a BYOIP IPv4 address as a dedicated egress IP in a Gateway egress policy](https://developers.cloudflare.com/_astro/Gateway-byoip-dedicated-egress-ips.D0pzLAbV_8yK6N.webp) For more information, refer to [BYOIP for dedicated egress IPs](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/#bring-your-own-ip-address-byoip). Jul 28, 2025 1. ### [Scam domain category introduced under Security Threats](https://developers.cloudflare.com/changelog/post/2025-07-28-spam-domain-category-introduced/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) We have introduced a new Security Threat category called **Scam**. Relevant domains are marked with the Scam category. Scam typically refers to fraudulent websites and schemes designed to trick victims into giving away money or personal information. **New category added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | ---------------- | ----------- | ------------- | | 21 | Security Threats | 191 | Scam | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. Jul 24, 2025 1. ### [Gateway HTTP Filtering on all ports available in open BETA](https://developers.cloudflare.com/changelog/post/2025-07-24-http-inspection-on-all-ports/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) can now apply [HTTP filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) to all proxied HTTP requests, not just traffic on standard HTTP (`80`) and HTTPS (`443`) ports. This means all requests can now be filtered by [A/V scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [file sandboxing](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/file-sandboxing/), [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/#data-in-transit), and more. You can turn this [setting](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports) on by going to **Settings** \> **Network** \> **Firewall** and choosing _Inspect on all ports_. ![HTTP Inspection on all ports setting](https://developers.cloudflare.com/_astro/Gateway-Inspection-all-ports.CCmwX6D0_OoDoS.webp) To learn more, refer to [Inspect on all ports (Beta)](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/#inspect-on-all-ports). Jul 22, 2025 1. ### [Google Bard Application replaced by Gemini](https://developers.cloudflare.com/changelog/post/2025-08-15-gemini-application-replaces-bard/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) The **Google Bard** application (ID: 1198) has been deprecated and fully removed from the system. It has been replaced by the **Gemini** application (ID: 1340). Any existing Gateway policies that reference the old Google Bard application will no longer function. To ensure your policies continue to work as intended, you should update them to use the new Gemini application. We recommend replacing all instances of the deprecated Bard application with the new Gemini application in your Gateway policies. For more information about application policies, please see the [Cloudflare Gateway documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/). Jun 18, 2025 1. ### [Gateway will now evaluate Network policies before HTTP policies from July 14th, 2025](https://developers.cloudflare.com/changelog/post/2025-06-17-new-order-of-enforcement/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) will now evaluate [Network (Layer 4) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/) **before** [HTTP (Layer 7) policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/). This change preserves your existing security posture and does not affect which traffic is filtered — but it may impact how notifications are displayed to end users. This change will roll out progressively between **July 14–18, 2025**. If you use HTTP policies, we recommend reviewing your configuration ahead of rollout to ensure the user experience remains consistent. #### Updated order of enforcement **Previous order:** 1. DNS policies 2. HTTP policies 3. Network policies **New order:** 1. DNS policies 2. **Network policies** 3. **HTTP policies** #### Action required: Review your Gateway HTTP policies This change may affect block notifications. For example: * You have an **HTTP policy** to block `example.com` and display a block page. * You also have a **Network policy** to block `example.com` silently (no client notification). With the new order, the Network policy will trigger first — and the user will no longer see the HTTP block page. To ensure users still receive a block notification, you can: * Add a client notification to your Network policy, or * Use only the HTTP policy for that domain. --- #### Why we’re making this change This update is based on user feedback and aims to: * Create a more intuitive model by evaluating network-level policies before application-level policies. * Minimize [526 connection errors](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/#error-526-in-the-zero-trust-context) by verifying the network path to an origin before attempting to establish a decrypted TLS connection. --- To learn more, visit the [Gateway order of enforcement documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/order-of-enforcement/). May 29, 2025 1. ### [New Gateway Analytics in the Cloudflare One Dashboard](https://developers.cloudflare.com/changelog/post/gateway-analytics-v2/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)[ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/) Users can now access significant enhancements to Cloudflare Gateway analytics, providing you with unprecedented visibility into your organization's DNS queries, HTTP requests, and Network sessions. These powerful new dashboards enable you to go beyond raw logs and gain actionable insights into how your users are interacting with the Internet and your protected resources. You can now visualize and explore: * Patterns Over Time: Understand trends in traffic volume and blocked requests, helping you identify anomalies and plan for future capacity. * Top Users & Destinations: Quickly pinpoint the most active users, enabling better policy enforcement and resource allocation. * Actions Taken: See a clear breakdown of security actions applied by Gateway policies, such as blocks and allows, offering a comprehensive view of your security posture. * Geographic Regions: Gain insight into the global distribution of your traffic. ![Gateway Analytics](https://developers.cloudflare.com/_astro/gateway-analytics.BdSwbIBb_1WTkQL.webp) To access the new overview, log in to your Cloudflare [Zero Trust dashboard ↗](https://one.dash.cloudflare.com/) and go to Analytics in the side navigation bar. May 27, 2025 1. ### [Gateway Protocol Detection Now Available for PAYGO and Free Plans](https://developers.cloudflare.com/changelog/post/2025-05-27-protocol-detection-availability/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) All Cloudflare One Gateway users can now use Protocol detection logging and filtering, including those on Pay-as-you-go and Free plans. With Protocol Detection, admins can identify and enforce policies on traffic proxied through Gateway based on the underlying network protocol (for example, HTTP, TLS, or SSH), enabling more granular traffic control and security visibility no matter your plan tier. This feature is available to enable in your account network settings for all accounts. For more information on using Protocol Detection, refer to the [Protocol detection documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/network-policies/protocol-detection/). May 14, 2025 1. ### [Domain Categories improvements](https://developers.cloudflare.com/changelog/post/2025-05-14-domain-category-improvements/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) **New categories added** | Parent ID | Parent Name | Category ID | Category Name | | --------- | --------------------- | ----------- | ----------------------------- | | 1 | Ads | 66 | Advertisements | | 3 | Business & Economy | 185 | Personal Finance | | 3 | Business & Economy | 186 | Brokerage & Investing | | 21 | Security Threats | 187 | Compromised Domain | | 21 | Security Threats | 188 | Potentially Unwanted Software | | 6 | Education | 189 | Reference | | 9 | Government & Politics | 190 | Charity and Non-profit | **Changes to existing categories** | Original Name | New Name | | ------------- | ----------------------- | | Religion | Religion & Spirituality | | Government | Government/Legal | | Redirect | URL Alias/Redirect | Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more. May 13, 2025 1. ### [New Applications Added for DNS Filtering](https://developers.cloudflare.com/changelog/post/2025-05-13-new-applications-added/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic. With this update, you can: * Create DNS policies for a wider range of applications * Manage outbound traffic more effectively * Improve your organization's security and compliance posture For more information on creating DNS policies, see our [DNS policy documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/). Apr 28, 2025 1. ### [FQDN Filtering For Gateway Egress Policies](https://developers.cloudflare.com/changelog/post/2025-04-28-fdqn-filtering-egress-policies/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies. * Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta. * During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation. * For WARP client support, additional configuration is required. For more information, refer to the [WARP client configuration documentation](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/#limitations). ![Egress by FQDN and Hostname](https://developers.cloudflare.com/_astro/Gateway-Egress-FQDN-Policy-preview.Civon5p8_Z2hcuQE.webp) This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path. Apr 11, 2025 1. ### [HTTP redirect and custom block page redirect](https://developers.cloudflare.com/changelog/post/2025-04-11-http-redirect-custom-block-page-redirect/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) You can now use more flexible redirect capabilities in Cloudflare One with Gateway. * A new **Redirect** action is available in the HTTP policy builder, allowing admins to redirect users to any URL when their request matches a policy. You can choose to preserve the original URL and query string, and optionally include policy context via query parameters. * For **Block** actions, admins can now configure a custom URL to display when access is denied. This block page redirect is set at the account level and can be overridden in DNS or HTTP policies. Policy context can also be passed along in the URL. Learn more in our documentation for [HTTP Redirect](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#redirect) and [Block page redirect](https://developers.cloudflare.com/cloudflare-one/reusable-components/custom-pages/gateway-block-page/#redirect-to-a-block-page). Mar 21, 2025 1. ### [Secure DNS Locations Management User Role](https://developers.cloudflare.com/changelog/post/2025-03-21-pdns-user-locations-role/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) We're excited to introduce the [**Cloudflare Zero Trust Secure DNS Locations Write role**](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations), designed to provide DNS filtering customers with granular control over third-party access when configuring their Protective DNS (PDNS) solutions. Many DNS filtering customers rely on external service partners to manage their DNS location endpoints. This role allows you to grant access to external parties to administer DNS locations without overprovisioning their permissions. **Secure DNS Location Requirements:** * Mandate usage of [Bring your own DNS resolver IP addresses ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/dns-resolver-ips/#bring-your-own-dns-resolver-ip) if available on the account. * Require source network filtering for IPv4/IPv6/DoT endpoints; token authentication or source network filtering for the DoH endpoint. You can assign the new role via Cloudflare Dashboard (`Manage Accounts > Members`) or via API. For more information, refer to the [Secure DNS Locations documentation ↗](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/locations/#secure-dns-locations). [Search all changelog entries](https://developers.cloudflare.com/search/?contentType=Changelog+entry)